iSeries Access Through a Firewall

IBM i (OS/400, i5/OS)
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times
As everyone is aware, there are risks involved with remote TCP/IP connectivity. Firewalls are a good way of limiting what type of traffic you will allow in from the outside world, but there are some unique considerations when accessing an iSeries. The iSeries Access for Windows product (formerly Client Access Express) uses a number of different servers when communicating to an iSeries. Each one of these servers communicates using one or more ports, and firewalls have to be configured to allow traffic through these ports. This article explains what ports you need, depending on what functions of iSeries Access for Windows you use. Note that the information given here also applies to all versions of Client Access Express.

To better understand the need for certain servers on the iSeries, you need to understand the connection process for iSeries Access. When a PC running iSeries Access first tries to make a connection, the default behavior is that it will first send a request to the port mapper to find out what port needs to be communicated with. A connection to the Sign-on server is always made first, so the first request sent to the port mapper is to find out what port the Sign-on server is listening on. After connecting to the Sign-on server, the next port to be communicated with will depend on what function of iSeries Access is being performed. If a function that requires an iSeries Access license is being used, then the next server to be contacted will be the Central server. The only functions of iSeries Access that require this license are the PC5250 emulator and the data transfer application. Before contacting the Central server, iSeries Access will ask the port mapper for the address of the Central server. After this, the next port that is contacted will depend on the function being performed. Preceding each request to a different server, the port mapper will be contacted to find the port for that server.

One item to note regarding the Central server is that, in multilingual environments, it could be used for almost any iSeries Access function. When iSeries Access is installed onto a PC, only one language is installed. However, if an application needs to be run in an alternate language, some character conversion may be required. The conversion tables are automatically downloaded from the iSeries to the client via the Central server when needed.

You may be wondering if there is a way to reduce the number of port mapper requests, and the answer is "yes." Although all of the servers used by iSeries Access are shipped with a default port assignment, an administrator can reconfigure each to use a different port. This may be done to avoid collisions with other servers or to make it more difficult for unauthorized individuals to access the system. If the administrator does not change any of the port assignments, then iSeries Access can be configured to just use the default ports (the "Standard" option). In that case, no calls to the port mapper are made, thereby reducing the number of exchanges between the client and the server. It also means that you don't need to open the Port Mapper port in your firewall. Even if the administrator does reconfigure the servers to use different ports, there is an option that can eliminate the port mapper calls. This involves creating a local Services file on the PC that maps each server to the port that it listens on. Then, iSeries Access can be configured to use that local Services file by choosing the "Local" option. Both of these options are available by going into iSeries Navigator (formerly known as Operations Navigator), right-clicking on the iSeries name in the left column, and selecting Properties. Under the Communications tab, there are Performance properties at the bottom that let you choose the appropriate port lookup option. The Server option is the default, and this is the one that forces a port mapper call for each server connection.

In addition to the Sign-on and Central server ports, another port that is used pervasively across iSeries Access is the Remote Command port. If an administrator sets any Application Administration settings, iSeries Access will always make a call to the Remote Command server to retrieve those settings, which are used to determine if the iSeries Access user has the authority to use any function attempted. For example, if the administrator creates an Application Administration setting preventing user JOEUSER from doing data transfers to the iSeries, iSeries Access will use that retrieved setting to stop any data transfer request that JOEUSER attempts. Because of this, plus the fact that iSeries Navigator always requires the use of Remote Command server, you will usually have to ensure that the port for the Remote Command server is open.

Figure 1 lists all of the servers used by iSeries Access and their associated default ports. Note that most of the servers have an additional port listed in parentheses. This port is used if SSL communications is needed. On the iSeries, most of the host servers can be configured for SSL by using the Digital Certificate Manager (DCM) to assign a certificate to that individual server. Once that assignment is made, that host server starts listening on the additional port (in addition to the non-SSL port that was already listening). A common method of forcing all remote clients to use encrypted sessions is to only allow traffic to flow through the firewall on the encrypted ports.

Port Mapper
Port Mapper returns the port number for the requested server.
8476 (9476)
Sign-on is used for every iSeries Access connection to authenticate users and to change passwords. It is also used to retrieve Application Administration settings.
8470 (9470)
Central is used when an iSeries Access license is required. It's also used for downloading conversion tables.
Data Queue
8472 (9472)
Data Queue allows access to the iSeries data queues, used for passing data between applications.
8471 (9471)
Database is used for accessing the OS/400 database.
Remote Command
8475 (9475)
Remote Command is used for sending commands from a PC to an iSeries and for program calls.
8473 (9473)
File is used for accessing any part of the OS/400 file system.
8474 (9474)
Print is used to access printers known to the OS/400.
Web Admin
2001 (2010)
Web Admin is used to access Web applications served by the iSeries.
446 (448)
DDM is used to access data via DRDA. It's also used for record-level access.
23 (992)
Telnet is used to access 5250 emulation.
137, 138, 139, 8474
Netserver allows access to the OS/400 Integrated File System (IFS) from Windows PCs.
USF (or Ultimedia) is used for multimedia data. (Note: This server is being removed in a future release.)
389 (636)
LDAP provides a network directory service.
Management Central
5555 5544 5577 (5566)
Management Central is used to manage multiple iSeries 400s in a network.

Figure 1: These are the ports associated with the servers used by iSeries Access for Windows.

Figure 2 lists some common iSeries Access functions and the servers that they utilize. Using Figure 1 and Figure 2, you should be able to determine which ports you need to open on your firewall. Also, these two tables are available on the iSeries Access Web site, in the Information APARs section. Select II12227. This page is kept up-to-date with the latest information on iSeries Access port usage. There could be additions to this table at any time, although it's likely that changes will be seen only on release boundaries.

Client Access Function
Servers Used
PC5250 display and printer emulation
Sign-on, Central, Telnet
Data transfer
Sign-on, Central, Database
Base iSeries Navigator support
Sign-on, Remote Command
All iSeries Navigator functions
Sign-on, Remote Command, File, Print, Database, Web Admin, Management Central, USF, Netserver, LDAP, Data Queue
Sign-on, Database
Sign-on, Database, DDM, Remote Command, Data Queue
AFP Viewer
Sign-on, Print
Client Access Install from iSeries
Incoming Remote Command
Uses no specific server, and iSeries port will vary. PC-side port is 512.
Fax support
Sign-on, Print

Figure 2: These are the servers used by some of the functions available through iSeries Access for Windows.

In addition to the ports used by iSeries Access, you may need to also open up a port for Domain Name Server (DNS) lookup. If an iSeries Access request to connect to a system needs to flow into your internal network to get the TCP/IP address for that system, the port for the DNS must be open. The default port for that is 53, and the Windows operating system handles getting the address from the DNS. If the iSeries Access user connects to the system by using the TCP/IP address of the system, rather than using the system name, then no DNS request will be required. Also, a request to the DNS for an IP address can be avoided by configuring iSeries Access to set the IP Address Lookup Frequency to "Never Specify IP Address." This property can be set in iSeries Navigator, on the same dialog that's used to change the port look-up (described earlier).

Many of the ports listed in Figure 1 are pre-started once your iSeries becomes active. The standard iSeries Access ports of 449 and those starting with 8 and 9 can be started by using the STRHOSTSVR *ALL command, if they are not running for some reason. In addition, any servers that are not pre-started can be configured to be pre-started by using iSeries Navigator. Selecting "Networking" in the tree of functions under a system name on the left side leads you to an option for TCP/IP servers. This is where you can check a box next to each server that you want to have pre-started.

A couple servers have some exceptions. One is Netserver. It uses four different ports while it is active. However, note that one of those, 8474, is only used internally and does not need to be opened through a firewall. Another special one is Management Central. Port 5544 is required only on V5R1 and later systems and is used for both non-SSL and SSL traffic. Port 5577 is only required for SSL connections between the "central" system and "endpoint" systems.

Of course, you could always choose to allow communications to flow on all ports into an iSeries. However, this will increase your risk of an attack on your system. You should only open the minimum number of ports that you really need in order to allow your users to access your system securely. Every port that you open increases your risk. Another option is to utilize a virtual private network (VPN) as the way of allowing remote connections to your iSeries. With VPN, you create a secure tunnel between the remote location and your server, and there isn't a need to open all the ports individually on your firewall. This is a more secure mechanism, but is much more complicated to get set up. For more information on VPNs, go to the iSeries Information Center and navigate in the left column to Security -> Virtual Private Networking.

Still another option that is available to iSeries Access customers who don't want to spend the time to set up lots of port restriction rules is the iSeries Access for Web product. As the name suggests, this product is designed for Web usage, and it's better suited for access through the Internet. It runs within a Web server on the iSeries, such as the Websphere Application Server (WAS), and does not require any code to be installed on PCs that connect to the system. All communications are through a single HTTP port or a single HTTPS port for encrypted sessions. Therefore, only a single port needs to be opened in a firewall to get to the iSeries. This product does not have all the capability of iSeries Access for Windows, but it has most of the functions that a typical user would require.

Last but not least, another member of the iSeries Access family that uses ports is the iSeries ODBC driver for Linux. This product is specialized for just one function and does not require use of the Sign-on server. In addition, the default setting is to not call the port mapper. So in general, the only port that will need to be opened for this family member is the Database server port. The only other one that could potentially be used is the Central Server, which could be used for downloading conversion tables in multilingual environments.

In summary, there are always risks with remote communications, but by limiting specific traffic through your firewall, you can help to minimize it. Using the tables listed in this article, you now have the information you need. Also, don't forget about the possibility of using iSeries Access for Web. It was designed from the beginning with secure remote access in mind.

Jeff Van Heuklon is currently the Technical Chief Engineering Manager for the IBM iSeries Access family. In this role, he is responsible for iSeries Access strategy, plans, and design control. He can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..



Support MC Press Online

$0.00 Raised:


   Support MC Press Online

MC Contributors Header 785x150

Support MC Press with a contribution of any size.

Your support helps MC Press deliver free quality information about the new and legacy technologies you rely on to IT Professionals everywhere. Our goal continues to be helping you become more productive on the job and get more out of your career. Every contribution, regardless of size, furthers that goal.